Demands payment from the PC’s user in exchange for a key or code that will decrypt the files

It uses the same encryption method to communicate with its command-and-control server, which generates a personalized TOR payment webpage for the infected machine. Earlier variants stored the private key as a file on the machine itself; Cisco/Talos created the Talos TeslaCrypt Decryption Tool, which lets affected users decrypt their files with that locally stored private key.

Recent variants, however, store the key in the registry as binary data.

What most distinguishes Tescrypt from other ransomware threats is the set of files it targets for encryption: in addition to the document types ransomware commonly encrypts, it goes after files belonging to PC games and to financial or tax software. The following is a list of extensions we've seen this threat target, each tied to a specific program:

.arch00

.d3dbsp

.dayzprofile

.ibank

.mcgame

.qdf

.rofl

.sav

.t12 / .t13

.tax

.vfs0

.vpp_pc

.w3x
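Because the threat singles out these extensions, an incident responder's first question on a suspected infection is usually "which of the targeted files exist here, and which of them have already been encrypted?" The script below is an added example, not Microsoft's code or a tool from the original post: it walks a directory tree, picks out files whose extensions appear in the list above (it does not cover the other, more common document types the post says are also encrypted), and uses Shannon entropy as a rough indicator of whether a file's contents are still structured data or already look like ciphertext. The 7.5 bits-per-byte threshold, the sample-size limit and the constructed sample tree are assumptions made for the example.

```python
import math
import random
import tempfile
from pathlib import Path

# Extensions the post lists as Tescrypt targets (game saves/profiles, banking and tax data).
TESCRYPT_TARGET_EXTENSIONS = frozenset({
    ".arch00", ".d3dbsp", ".dayzprofile", ".ibank", ".mcgame", ".qdf",
    ".rofl", ".sav", ".t12", ".t13", ".tax", ".vfs0", ".vpp_pc", ".w3x",
})

# Ciphertext approaches 8 bits/byte; save games, tax and banking files are far
# more structured. 7.5 is a hypothetical cut-off chosen for this example.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_directory(root, threshold=ENTROPY_THRESHOLD, sample_size=65536):
    """Walk root and report every file whose extension is on the Tescrypt list.

    Returns a sorted list of (path, extension, entropy, looks_encrypted) tuples.
    Only the first sample_size bytes are read so large game archives triage quickly.
    """
    results = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext not in TESCRYPT_TARGET_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            entropy = shannon_entropy(fh.read(sample_size))
        results.append((str(path), ext, round(entropy, 3), entropy >= threshold))
    results.sort()
    return results


def summarize(results):
    """Count targeted files found and how many of them look encrypted."""
    return {
        "targeted": len(results),
        "looks_encrypted": sum(1 for _, _, _, enc in results if enc),
    }


def build_sample_tree():
    """Constructed sample data (not real victim files): one plaintext game profile,
    one file filled with pseudo-random bytes standing in for ciphertext, and one
    file with a non-targeted extension that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="tescrypt_triage_"))
    (root / "games" / "dayz").mkdir(parents=True)
    (root / "games" / "dayz" / "survivor.dayzprofile").write_bytes(
        b"[profile]\nname=alice\nfov=0.75\n" * 64)
    (root / "taxes").mkdir()
    rng = random.Random(2015)  # deterministic stand-in for encrypted content
    (root / "taxes" / "return2014.tax").write_bytes(
        bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "notes.txt").write_text("not a targeted extension\n")
    return root


if __name__ == "__main__":
    findings = triage_directory(build_sample_tree())
    for path, ext, entropy, looks_encrypted in findings:
        flag = "ENCRYPTED?" if looks_encrypted else "plaintext"
        print(f"{flag:10} {entropy:5.2f} bits/byte  {path}")
    print(summarize(findings))
```

Run against a real home directory, the same function gives a quick inventory of what Tescrypt would go after (useful for deciding what belongs in the offline backup recommended below) and, after an infection, a first cut at which of those files are already lost. Compressed game archives can legitimately score high on entropy, so treat the flag as a prompt for a closer look rather than proof of encryption.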

Telemetry

We saw a large spike in the number of detections for Tescrypt in late August 2015 (see Figure 1). Before August, infections were steady but low; since that first peak, detections have risen and fallen, but overall they have remained higher than before it.

Figure 1: Tescrypt encounters since August 2015

Globally, the United States remains the most affected country, accounting for more than a third of all encounters. The chart in Figure 2 shows the distribution of Tescrypt encounters by country in September 2015; countries with less than a 1.0% share are grouped together.

Figure 2: Countries most affected by Tescrypt infections

This malware usually arrives as a payload of exploit kits. It can also be downloaded by other malware. The exploit kits we’ve seen distributing Tescrypt include:

Tescrypt has used the alias “Tesla Crypt” (and “Alpha Crypt” in earlier variants, see Figure 3), and in some cases mimics other ransomware families such as Crilock and Crowti by displaying similar screen prompts (see Figures 4 and 5).

Figure 3: Alpha Crypt

Figure 4: Example of Tescrypt that mimics Crilock

Figure 5: Example of Tescrypt that mimics Crowti

More information about this malware’s behavior can be found in our encyclopedia entry Win32/Tescrypt, and information about ransomware in general on our ransomware page.

Prevention and remediation

Our general ransomware recommendations apply for Tescrypt.

The best defense against ransomware is pre-defense: make sure you have important documents, files, and databases securely backed up in disconnected or remote storage. This can be as simple as a flash drive or a removable hard disk that you save files to once a week and then disconnect from your PC.

If you are infected, Microsoft recommends that you don't pay the ransom. There is no guarantee that paying will give you access to your files, and paying extortion money only makes the crime financially successful and encourages more of it.

Adding a prevalent ransomware family like Tescrypt, alongside the other malware families added each month, widens the coverage MSRT provides for protecting and cleaning PCs that regularly run and apply the monthly MSRT update.

The MSRT update is delivered automatically by default to PCs running Windows Vista and later. You can also manually download and run the tool at any time by visiting the Malicious Software Removal Tool page at the Microsoft Safety & Security Center.